FreeBSD Afterinstall
Overview
- Use local files (rc.conf.local, rc.local, etc.) for updating configuration information where possible. This makes mergemaster(8) much easier while upgrading the system.
uname(1)
FreeBSD partvarious-lx.eglbp.corp.domain.com 8.0-CURRENT FreeBSD 8.0-CURRENT #6: Sun Oct 14 20:45:43 IST 2007 shanu@partvarious-lx.eglbp.corp.domain.com:/usr/obj/usr/home/src/sys/MYKERNEL i386
Update Path Settings
Update $PATH in ~/.cshrc with /usr/local/{bin,sbin}
[121:~] shanu% grep path .tcshrc
set path = ( [..] /usr/local/bin /usr/local/sbin )
- Don't *delete* any existing entries, just append to them.
- This is only for (t)csh
Sudo(8) Access
I am very picky about being root, so the first thing I do is to get sudo installed and configured.
> pkg_add -r sudo
> visudo
### sudoers ###
# Override builtin defaults
Defaults syslog=auth,timestamp_timeout=60,!set_logname
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
- Add yourself to the wheel group
> id
uid=13788(shanu) gid=13788(shanu) groups=13788(shanu), 0(wheel)
rc.conf
- Move rc.conf to rc.conf.local and zero out rc.conf
cd /etc
cp rc.conf rc.conf.local
truncate -s 0 rc.conf
Update User Accounts
- Add $USER with correct UID (match with office UNIX UID)
- Add $USER to groups wheel and operator
Update Sendmail
- Update sendmail.mc
- Update aliases
- Regen .cf
> cd /etc/mail
> make install
> make restart
Update fstab(5)
- Update fstab to include USB, NTFS, nfs/smb mounts, proc and linprocfs mounts
linprocfs /compat/linux/proc linprocfs rw 0 0
linsys /compat/linux/sys linsysfs rw 0 0
proc /proc procfs rw 0 0
# filer
//guest@filer/storage /mnt/filer smbfs rw,noauto,-I192.168.44.3,-N,-WshanuNet 0 0
/dev/ad0s1 /mnt/windows ntfs ro 0 0
buffy.bangalore.corp.domain.com:/home/mp3 /mnt/mp3 nfs ro,noauto 0 0
buffy.bangalore.corp.domain.com:/home/stuff /mnt/stuff nfs ro,noauto 0 0
# usb
/dev/da0s1 /mnt/usb0 msdosfs rw,noauto 0 0
/dev/da1s1 /mnt/usb1 msdosfs rw,noauto 0 0
tunefs(8)
- Tune /home for space (was speed)
> tunefs -L home -m 5 -o space -l enable /home
locate.updatedb(8)
- Run the script manually for the first time
> cd /etc/periodic/weekly/
> ./310.locate
Devices
sound(4)
- Setup the sound device
[partvarious-lx] ~> grep snd /boot/loader.conf.local
snd_ich_load="YES"
CDROM
- Enable DMA transfers on the CDROM device
- chown /cdrom to $USER
### rc.local ###
atacontrol mode acd0 WDMA2

> sudo atacontrol mode acd0
current mode = WDMA2
> chown shanu /cdrom
Wireless
Atheros 5416 MacBook Pro Wireless
http://wiki.freebsd.org/AppleMacbook
Intel Pro Wireless 2200 BG
iwi0: <Intel(R) PRO/Wireless 2200BG> mem 0xb0107000-0xb0107fff irq 18 at device 6.0 on pci6
- See iwi(4).
- Install net/iwi-firmware-kmod for the firmware and load it up as below
### loader.conf.local ###
if_iwi_load="YES"
iwi_bss_load="YES" # don't think this is needed
> ifconfig iwi0
iwi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::215:ff:fe47:a723%iwi0 prefixlen 64 scopeid 0x2
inet 192.168.44.10 netmask 0xffffff00 broadcast 192.168.44.255
ether 00:15:00:47:a7:23
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
status: associated
ssid XXXXX channel 6 bssid 00:14:bf:d4:85:06
authmode OPEN privacy ON deftxkey 1 wepkey 1:40-bit txpowmax 100
bmiss 10 protmode CTS bintval 100
Wireless-G Notebook Adapter WPC54G V3 (PCMCIA)
ndis0: <Wireless-G Notebook Adapter WPC54G V3> mem 0x90010000-0x90011fff irq 10 at device 0.0 on cardbus1
pci bus 0x0004 cardnum 0x00 function 0x00: vendor 0x14e4 device 0x4318 Broadcom Corporation BCM4318 [AirForce One 54g] 802.11g Wireless LAN Controller CardVendor 0x1737 card 0x0048 (Linksys WPC54G-EU version 3 [Wireless-G Notebook Adapter]) STATUS 0x0000 COMMAND 0x0006 CLASS 0x02 0x80 0x00 REVISION 0x02 BIST 0x00 HEADER 0x00 LATENCY 0xa8 CACHE 0x00 BASE0 0x90010000 addr 0x90010000 MEM MAX_LAT 0x00 MIN_GNT 0x00 INT_PIN 0x01 INT_LINE 0x0a BYTE_0 0x01 BYTE_1 0x00 BYTE_2 0xc2 BYTE_3 0x07
- See ndis(4)
- The kld is built from the following Windows NDIS drivers - BCMWL5.SYS and LSBCMNDS.inf
[partvarious-lx] ~> ifconfig ndis0
ndis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether 00:18:f8:f9:a7:9c
inet 192.168.43.10 netmask 0xffffff00 broadcast 192.168.43.255
media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
status: associated
ssid Beastie channel 6 (2437 Mhz 11g) bssid 00:14:bf:e7:0d:cf
authmode OPEN privacy OFF txpowmax 100 bmiss 7 scanvalid 60
protmode CTS roaming MANUAL
Networking
rc.conf.local
hostname="faith.shanu.net"
# Networking
ifconfig_iwi0="wpa DHCP"
ifconfig_rl0="DHCP"
# ifconfig_rl0="DHCP ether 00:14:38:06:FD:7A"
background_dhclient_iwi0="YES"
- The iwi(4) driver is loaded via loader.conf.local
- The wireless settings are managed using wpa_supplicant(8)
wpa_supplicant.conf
[faith] ~> cat /etc/wpa_supplicant.conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
network={
ssid="shanuNet"
scan_ssid=1
key_mgmt=NONE
wep_tx_keyidx=0
wep_key0=xxxxxxxx
}
#network={
#ssid="taps"
#key_mgmt=WPA-PSK
#psk="xxxxxxxxx"
#}
[faith] ~> ps axw|grep wpa
  412  ??  Ss     0:00.73 /usr/sbin/wpa_supplicant -B -q -i iwi0 -c /etc/wpa_supplicant.conf -D bsd -P /var/run/wpa_supplicant/iwi0
31929  p1  R+     0:00.00 grep wpa
loader.conf.local
The iwi driver does not seem to be fully MPSAFE, causing me frequent lockups. I have disabled it on -CURRENT as below.
debug.mpsafenet="0"
> uname -a
FreeBSD faith.shanu.net 7.0-CURRENT FreeBSD 7.0-CURRENT #11: Sat Dec 9 11:56:55 IST 2006 shanu@faith.shanu.net:/usr/obj/usr/src/sys/MYKERNEL i386
Updating src/ports
csup(1)
csup(1) is a cvsup client written in C and part of the base OS. It's a much lighter replacement for the tool devel/cvsup.
> sudo /usr/bin/csup -L2 /etc/supfile
supfile
- /etc/supfile # create if it does not exist
### supfile ###
*default host=cvsup6.FreeBSD.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=.
*default delete use-rel-suffix
# src-all # this tracks HEAD (-CURRENT) - use with care
ports-all # this should be ok
- WARNING: The above supfile will take you to -current.
buildworld/buildkernel
make.conf(5)
### make.conf ###
CPUTYPE?=pentium4
CFLAGS= -O -pipe
COPTFLAGS= -O -pipe
PERL_VER=5.8.8
PERL_VERSION=5.8.8
WITH_GTK2=yo
WITHOUT_MOZILLA=yo
WITHOUT_DEBUG=yes
WITH_GECKO=firefox
WITH_CPUFLAGS=yes
WITH_OPTIMIZED_CFLAGS=yes
WRKDIRPREFIX=/home/mp3/tmp
Build World
> cd /usr/src
> sudo make buildworld
> sudo make buildkernel
> sudo make installkernel
> sudo reboot
> sudo make installworld
> sudo mergemaster
Upgrade Ports
> sudo portupgrade -a -i
- Do a full OS upgrade using the GENERIC kernel. Once the system is stable, switch to MYKERNEL.
- Update ports after building world to avoid dependency problems after the OS upgrade
- See PortUpgrade for more on portupgrade(1)
Kernel
Bootstrap Configuration
loader.conf(5)
### loader.conf.local ###
sound_load="YES"
snd_ich_load="YES"
i915_load="YES"
ichsmb_load="YES"
acpi_video_load="YES"
atapicam_load="YES"
if_bridge_load="YES"
bridgestp_load="YES"
if_tap_load="YES"
if_iwi_load="YES"
wlan_load="YES"
wlan_wep_load="YES"
iwi_bss_load="YES"
kqemu_load="YES"
- kqemu, iwi etc are in ports/
MYKERNEL
Build
> cd /sys/i386/conf/
> sudo cp GENERIC MYKERNEL
> cd /usr/src
> sudo make buildkernel KERNCONF=MYKERNEL
> sudo make installkernel KERNCONF=MYKERNEL
Additions to MYKERNEL
### MYKERNEL ###
cpu I686_CPU
ident MYKERNEL
- Debug
# Debugging for use in -current
options KDB                 # Enable kernel debugger support.
options DDB                 # Support DDB.
options GDB                 # Support remote GDB.
#options INVARIANTS         # Enable calls of extra sanity checking
#options INVARIANT_SUPPORT  # Extra sanity checks of internal structures, required by INVARIANTS
#options WITNESS            # Enable checks to detect deadlocks and cycles
#options WITNESS_SKIPSPIN   # Don't run witness on spinlocks for speed
- ALTQ
# altq(9). Enable the base part of the hooks with the ALTQ option.
# Individual disciplines must be built into the base system and can not be
# loaded as modules at this point. ALTQ requires a stable TSC so if yours is
# broken or changes with CPU throttling then you must also have the ALTQ_NOPCC
# option.
options ALTQ
options ALTQ_CBQ    # Class Based Queueing
options ALTQ_RED    # Random Early Detection
options ALTQ_RIO    # RED In/Out
options ALTQ_HFSC   # Hierarchical Packet Scheduler
options ALTQ_CDNR   # Traffic conditioner
options ALTQ_PRIQ   # Priority Queueing
options ALTQ_NOPCC  # Required if the TSC is unusable
#options ALTQ_DEBUG
- Misc
options INCLUDE_CONFIG_FILE # Include this file in kernel
sysctl.conf(5)
### sysctl.conf ###
#security.bsd.see_other_uids=0
debug.cpufreq.lowest=425
vfs.usermount=1
#hw.acpi.reset_video=0
#hw.acpi.verbose=0
hw.syscons.sc_no_suspend_vtswitch=0
Filesystem
devfs(8)
devfs(8) allows device permissions to be persistent across reboots. Below are some standard entries to devfs.conf to make things work for non-root users.
### devfs.conf ###
# Commonly used by many ports
link acd0 cdrom
perm acd0 0666

# cdrecord to work as non-root
link cd0 cdrecorder
perm cd0 0666
perm xpt0 0666
perm pass0 0666
perm tap? 0660

# Allow a user in the wheel group to query the smb0 device
#perm smb0 0660

# Allow members of group operator to cat things to the speaker
#own speaker root:operator
#perm speaker 0660

### devfs.rules ###
[system=10]
add path 'unlpt*' mode 0660 group cups
add path 'ulpt*' mode 0660 group cups
add path 'lpt*' mode 0660 group cups
Network File Systems
rpcbind_enable="YES"
rpc_lockd_enable="YES"
nfs_client_enable="YES"
nfs_server_enable="YES"
fstab(5)
# Device         Mountpoint          FStype     Options     Dump  Pass#
/dev/ad0s4b      none                swap       sw          0     0
/dev/ad0s4a      /                   ufs        rw          1     1
/dev/ad0s1       /mnt/win            ntfs       ro          0     0
/dev/ad0s2       /mnt/dos            msdosfs    ro          0     0
/dev/ad0s4d      /usr                ufs        rw,noatime  2     2
/dev/acd0        /cdrom              cd9660     ro,noauto   0     0
# NFS
buffy:/home/mp3  /home/mp3           nfs        rw,noauto   0     0
# LINUX_COMPAT
linproc          /compat/linux/proc  linprocfs  rw          0     0
linsys           /compat/linux/sys   linsysfs   rw          0     0
Compiler Settings
make.conf(5)
WITH_CPUFLAGS=yes
WITH_OPTIMIZED_CFLAGS=yes
# /usr/local/share/doc/ccache/ccache-howto-freebsd.txt
.if (!empty(.CURDIR:M/usr/src*) || !empty(.CURDIR:M/usr/obj*)) && !defined(NOCCACHE)
CC=/usr/local/libexec/ccache/world-cc
CXX=/usr/local/libexec/ccache/world-c++
.endif
WITH_CCACHE=yes
#NOCCACHE=yes
.cshrc.local
# /usr/local/share/doc/ccache/ccache-howto-freebsd.txt
setenv PATH /usr/local/libexec/ccache:$PATH
setenv CCACHE_PATH /usr/bin:/usr/local/bin
setenv CCACHE_DIR "/usr/.ccache"
devel/ccache
[faith] ~> pkg_info -x ccac
Information for ccache-2.4_6:

Comment:
A tool to minimize the compile time of C/C++ programs

Description:
ccache is a compiler cache. It acts as a caching pre-processor to C/C++
compilers, using the -E compiler switch and a hash to detect when a
compilation can be satisfied from cache. This often results in a 5 to 10
times speedup in common compilations.
[faith] ~> portinstall devel/ccache
[faith] ~> ccache -s
cache directory                     /usr/.ccache
cache hit                             10
cache miss                           437
called for link                       21
compile failed                         1
not a C/C++ file                      22
autoconf compile/link                 45
no input file                         32
files in cache                       874
cache size                           7.7 Mbytes
max cache size                     976.6 Mbytes
Security And Firewall
pf(4)
# Firewall
pf_enable="YES"
pf_rules="/etc/pf.conf.local"
pflog_enable="YES"
pf.conf.local
# Macros
buffy="10.80.37.171"   # office box
dsl="192.168.44.1"     # ADSL Router
wifi="192.168.44.2"    # Linksys WiFi Router

table <devices> const { 192.168.44.1, 192.168.44.2 }
table <vlans> const { 192.168.45.0/24 }

set block-policy return

# normalize packets
scrub in all

# nat on iwi0 [qemu]
nat on iwi0 from <vlans> to any -> (iwi0)

# lo0 is trusted
set skip on lo0

# default block everything
block in log all label "block-all"
block out log all label "block-all"

# pass in ICMP
pass in proto icmp from any to any keep state label "icmp"

# allow syslog from <devices>
pass in proto udp from <devices> to any port syslog keep state label "syslog"

# office box
pass in from $buffy to any keep state label "buffy"

# pass in ssh
pass in proto tcp from any to any port ssh keep state label "ssh"

# pass in DNS traffic
pass in proto { tcp, udp } from any to any port domain keep state label "domain"

# pass in HTTP
pass in proto tcp from any to any port http keep state label "http"
pass in proto tcp from any to any port https keep state label "https"

# pass in bittorrent
pass in proto { tcp, udp } from any to any port 6881:6999 keep state label "torrent"

# pass in Multicast DNS
pass in proto { tcp, udp } from any to 224.0.0.251 port mdns keep state label "mdns"

# pass in 1900 from the DSL router
pass in proto udp from $dsl to any port 1900 keep state label "dsl-bcast"

# pass in UPnP
pass in proto { tcp, udp } from any to any port 5000 keep state label "uPnP"

# pass in iTunes
pass in proto tcp from any to any port 3689 keep state label "iTunes"

# trust 192.168.45.0/24: That's our qemu subnet
pass in on tap0 from <vlans> to any keep state label "vlans"

# allow outbound
pass out from any to any keep state
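The ruleset above is default-deny ("block in log all") followed by a list of explicit `pass in` exceptions, so the question worth asking after every edit is which of those exceptions accept traffic from any source. The script below is an added example, not part of the original page and not a pf tool: it scans a pf.conf for `pass in` rules whose source is `any` and prints their label, destination, protocol and port. It assumes only POSIX sh and awk and runs against a constructed subset of the rules shown above; sources given as macros or tables (`$buffy`, `<devices>`) are deliberately not counted as `any` and are left for human review.

```sh
#!/bin/sh
# Added example, not part of the original wiki page: list the "pass in" rules in
# a pf.conf that accept traffic from any source, so the services exposed to the
# whole network can be reviewed after each change to the ruleset.
# Assumes only POSIX sh and awk. The sample ruleset is a constructed subset of
# the page's pf.conf.local; macro and table sources never count as "any".

PF_SAMPLE=$(mktemp "${TMPDIR:-/tmp}/pfsample.XXXXXX")
trap 'rm -f "$PF_SAMPLE"' EXIT
cat > "$PF_SAMPLE" <<'EOF'
# constructed sample, modelled on the page's pf.conf.local
block in log all label "block-all"
block out log all label "block-all"
pass in proto icmp from any to any keep state label "icmp"
pass in proto udp from <devices> to any port syslog keep state label "syslog"
pass in from $buffy to any keep state label "buffy"
pass in proto tcp from any to any port ssh keep state label "ssh"
pass in proto { tcp, udp } from any to any port domain keep state label "domain"
pass in proto tcp from any to any port http keep state label "http"
pass in proto { tcp, udp } from any to 224.0.0.251 port mdns keep state label "mdns"
pass in proto udp from $dsl to any port 1900 keep state label "dsl-bcast"
pass out from any to any keep state
EOF

pf_exposed_inbound() {
    # $1: pf.conf path. Prints "label destination proto port" for every
    # "pass in" rule whose source is "any"; "-" marks a missing label or port.
    awk '
        /^[ \t]*#/ { next }                            # comment line
        $1 == "pass" && $2 == "in" {
            src = ""; dst = "any"; port = "-"; label = "-"; proto = "any"
            for (i = 3; i <= NF; i++) {
                if ($i == "from")  src  = $(i + 1)
                if ($i == "to")    dst  = $(i + 1)
                if ($i == "port")  port = $(i + 1)
                if ($i == "label") { label = $(i + 1); gsub(/"/, "", label) }
                if ($i == "proto") {
                    if ($(i + 1) == "{") {             # proto { tcp, udp }
                        proto = ""
                        for (j = i + 2; $j != "}" && j <= NF; j++) {
                            p = $j; gsub(/,/, "", p)
                            proto = (proto == "") ? p : (proto "/" p)
                        }
                        i = j
                    } else proto = $(i + 1)
                }
            }
            if (src == "any") print label, dst, proto, port
        }
    ' "$1"
}

pf_exposed_inbound "$PF_SAMPLE"
```

Run `pf_exposed_inbound /etc/pf.conf.local` against the real file; on the sample it reports icmp, ssh, domain, http and mdns and stays silent about the syslog, buffy and dsl-bcast rules, whose sources are restricted.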
hosts_access(5)
### hosts.allow ###
ALL: LOCAL : allow
ALL: 127.0.0.0/255.255.255.0 : allow
ALL: 10.80.37.171 : allow
sshd: 192.168.44.0/255.255.255.0 : allow
sshd: 192.168.45.0/255.255.255.0 : allow
sshd: 192.168.77.0/255.255.255.0 : allow
sshd: 10.0.0.0/255.255.0.0 : allow
sshd: PARANOID : allow
syslogd: 192.168.44.0/28 : allow
ALL: ALL: deny
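hosts_access(5) reads this file top to bottom and stops at the first rule whose daemon list and client list both match; a matching rule with no option grants access, and so does reaching the end of the file without any match, which is why the final `ALL: ALL: deny` line carries the weight here. The script below is an added example, not from the page and not the hosts_access library itself: it replays that decision procedure for a daemon name and client IP against a constructed copy of the file above. It assumes POSIX sh only, understands the ALL, a.b.c.d, a.b.c.d/m.m.m.m, a.b.c.d/len and trailing-dot patterns, and treats LOCAL, PARANOID and hostname patterns as non-matching because they need name resolution.

```sh
#!/bin/sh
# Added example, not part of the original wiki page: decide what hosts_access(5)
# would do for a given daemon and client IP under a hosts.allow ruleset.
# First matching rule wins; a matching rule with no option grants access; no
# match at all also grants access. Only IP/network patterns are evaluated:
# LOCAL, PARANOID, KNOWN/UNKNOWN and hostnames need DNS and never match here.
# Assumes POSIX sh only; the sample file is a constructed copy of the page's
# hosts.allow.

HA_SAMPLE=$(mktemp "${TMPDIR:-/tmp}/hosts.allow.XXXXXX")
trap 'rm -f "$HA_SAMPLE"' EXIT
cat > "$HA_SAMPLE" <<'EOF'
ALL: LOCAL : allow
ALL: 127.0.0.0/255.255.255.0 : allow
ALL: 10.80.37.171 : allow
sshd: 192.168.44.0/255.255.255.0 : allow
sshd: 192.168.45.0/255.255.255.0 : allow
sshd: 192.168.77.0/255.255.255.0 : allow
sshd: 10.0.0.0/255.255.0.0 : allow
sshd: PARANOID : allow
syslogd: 192.168.44.0/28 : allow
ALL: ALL: deny
EOF

ip2int() {
    # dotted quad -> 32-bit integer, e.g. 10.0.0.1 -> 167772161
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

mask_from_len() {
    # prefix length -> netmask integer, e.g. 28 -> 4294967280 (0xfffffff0)
    if [ "$1" -eq 0 ]; then echo 0
    else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

client_matches() {
    # $1: one client pattern from hosts.allow, $2: client IP; exit 0 on match
    case "$1" in
        ALL) return 0 ;;
        */*)                                # a.b.c.d/m.m.m.m or a.b.c.d/len
            net=$(ip2int "${1%/*}"); m=${1#*/}
            case "$m" in
                *.*) mask=$(ip2int "$m") ;;
                *)   mask=$(mask_from_len "$m") ;;
            esac
            [ $(( $(ip2int "$2") & mask )) -eq $(( net & mask )) ] ;;
        *[!0-9.]*) return 1 ;;              # LOCAL, PARANOID, hostnames: not evaluated
        *.) case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;;   # "192.168.44." prefix
        *.*.*.*) [ "$(ip2int "$1")" -eq "$(ip2int "$2")" ] ;;
        *) return 1 ;;
    esac
}

hosts_access_decide() {
    # $1: daemon, $2: client IP, $3: hosts.allow path.
    # Prints "allow <rule>" or "deny <rule>" for the first matching rule.
    daemon=$1; ip=$2
    while IFS=: read -r dlist clist opt; do
        case "$dlist" in ''|'#'*) continue ;; esac
        dmatch=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            case "$d" in ALL|"$daemon") dmatch=0 ;; esac
        done
        [ "$dmatch" -eq 0 ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
            if client_matches "$c" "$ip"; then
                opt=$(printf '%s' "$opt" | tr -d ' ')
                echo "${opt:-allow} $(echo $dlist): $c"
                return 0
            fi
        done
    done < "$3"
    echo "allow (no matching rule)"
}

hosts_access_decide sshd 192.168.44.100 "$HA_SAMPLE"
hosts_access_decide syslogd 192.168.44.20 "$HA_SAMPLE"
hosts_access_decide sshd 172.16.0.5 "$HA_SAMPLE"
```

The three calls at the end show the two things worth checking in a file like this: syslogd from 192.168.44.20 is denied because the /28 only covers 192.168.44.0 to .15, and sshd from an address outside every listed network falls through to the closing `ALL: ALL: deny`. Remove that last line and the same call returns "allow (no matching rule)".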
Logging
syslogd(8)
Allow remote logging from specified devices.
### rc.conf.local ###
# 192.168.44.1 is the DSL router configured for remote logging
syslogd_flags="-n -a 192.168.44.1:* -a 192.168.44.2:*"

### syslog.conf ###
#+192.168.44.1
*.* /var/log/dsl.log
#+192.168.44.2
*.* /var/log/wifi.log
sudo touch /var/log/{dsl,wifi}.log
Monitoring
Smart Monitoring
$ sudo portinstall sysutils/smartmontools
$ sudo cp /usr/local/etc/smartd.conf.sample /usr/local/etc/smartd.conf
$ grep smartd /etc/rc.conf.local
smartd_enable=YES
$ sudo /usr/local/etc/rc.d/smartd start
[faith] ~> /usr/local/sbin/smartctl -a /dev/cd0
smartctl version 5.37 [i386-portbld-freebsd7.0] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

Smartctl: please specify device type with the -d option.

Use smartctl -h to get a usage summary

[faith] ~> /usr/local/sbin/smartctl -a /dev/ad0|head
smartctl version 5.37 [i386-portbld-freebsd7.0] Copyright (C) 2002-6 Bruce Allen
Home page is http://smartmontools.sourceforge.net/

=== START OF INFORMATION SECTION ===
Device Model:     ST960812A
Serial Number:    5PJ0VQWQ
Firmware Version: 3.05
User Capacity:    60,011,642,880 bytes
Device is:        Not in smartctl database [for details use: -P showall]
ATA Version is:   6
[faith] ~>
X Windows
> sudo portinstall x11/xorg
> sudo portinstall x11-wm/enlightenment-devel
> sudo portinstall x11/gnome2-lite
> sudo portinstall x11/kde-lite
- See the main page for more X Windows and related applications

